System and method for merging encryption data using circular encryption key switching

ABSTRACT

A method for data privacy in a distributed communication system, in which a plurality of client terminals are arranged in a ring configuration merges encrypted streaming data using circular encryption key switching and without sharing any private keys in a distributed communication system. The merged data is then sent to client terminals to be further process by respective client terminals.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH

This invention disclosure is related to a government contract numberFA8750-11-C-0098. The U.S. Government has certain rights to thisinvention.

FIELD OF THE INVENTION

The present invention relates to data privacy and encryption and morespecifically to a system and method for merging encryption data usingcircular encryption key switching and without sharing any private keys.

BACKGROUND

A typical system for enabling multiple entities to exchanging data orcommunicate with one another may include a form of a distributedcommunication system, in which multiple parties to a communication areconnected to each other through a network and a central hub or switch.In many circumstances, where that data being exchanged includessensitive information, it is important to maintain privacy from externalsecurity threats. Additionally, in some circumstances, the networkitself may not be reliably secure or trustworthy. For example, variousparties engaging in a teleconference may be speaking about sensitiveinformation from various trusted locations throughout the world, but thetelecommunication system or the central data mixer used to transmit databetween the parties may not be secure or trustworthy.

There has been prior work on the mixing of data of different rates,however none of those approaches are compatible with the homomorphicencryption scheme such that privacy-preserving mixing can be performed,for example, for encrypted voice over IP (VoIP).

Moreover, these prior approaches do not cover encrypted VoIPteleconferencing, where encryption keys do not need to be shared with aVoIP mixer, in a manner that scales linearly with the number ofparticipants (clients). Many consumer VoIP solutions do not supportencryption of the signaling path or the media. As a result, the lack ofencryption makes it relatively easy to eavesdrop on VoIP calls whenaccess to the data network is possible.

SUMMARY OF THE INVENTION

In some embodiments, the present invention is directed to a system andmethod for merging encryption data using circular encryption keyswitching and without sharing any private keys.

In some embodiments, the present invention is a method for data privacyin a distributed communication system, in which a plurality of clientterminals are arranged in a ring configuration. The method includes:receiving by a first client terminal of the plurality of clientterminals, a second public key from a second client terminal of theplurality of client terminals; generating a second key switch hint forthe second client terminal, by the first client terminal, using thesecond public key and a first private key of the first client terminal;transmitting the second key switch hint and first encryption data fromthe first client terminal to a mixer; receiving by the second clientterminal, a third public key from a third client terminal of theplurality of client terminals; generating a third key switch hint forthe third client terminal, by the second client terminal, using thethird public key and a second private key of the second client terminal;transmitting the third key switch hint and second encryption data fromthe second client terminal to the mixer; receiving by the third clientterminal, a first public key from the first client terminal; generatinga first key switch hint for the first client terminal, by the thirdclient terminal, using the first public key and a first private key ofthe first client terminal; transmitting the first key switch hint andthird encryption data from the third client terminal to the mixer;using, by the mixer, the second key switch hint and the first encrypteddata from the first client terminal to switch the first encrypted datato generate a first switched encrypted data; adding the encrypted datarepresentation for the second client terminal to the second encryptiondata from the second client terminal to output a first summed dataencryption; using, by the mixer, the third key switch hint and the firstsummed data encryption to switch the first summed data encryption togenerate a second switched encrypted data; adding the second switchedencrypted data to the third encryption data from the third clientterminal to output a third encryption data representation for the thirdclient terminal; and sending the third encryption data representation tothe third client terminal to be decrypted by the third client terminal.

In some embodiments, the present invention is a distributedcommunication system, including: a mixer to performing operation onencrypted data streams; a first client terminal for receiving a secondpublic key from a second client terminal; generating a second key switchhint for the second client terminal, using the second public key and afirst private key of the first client terminal; and transmitting thesecond key switch hint and first encryption data from the first clientterminal to the mixer; wherein the second client terminal receives athird public key from a third client terminal; generates a third keyswitch hint for the third client terminal, using the third public keyand a second private key of the second client terminal; and transmitsthe third key switch hint and second encryption data to the mixer;wherein the third client terminal receives a first public key from thefirst client terminal; generates a first key switch hint for the firstclient terminal, using the first public key and a first private key ofthe first client terminal; and transmits the first key switch hint andthird encryption data to the mixer; wherein the mixer uses the secondkey switch hint and the first encrypted data from the first clientterminal to switch the first encrypted data to generate a first switchedencrypted data; and adds the encrypted data representation for thesecond client terminal to the second encryption data from the secondclient terminal to output a first summed data encryption; and whereinthe mixer uses the third key switch hint and the first summed dataencryption to switch the first summed data encryption to generate asecond switched encrypted data; adds the second switched encrypted datato the third encryption data from the third client terminal to output athird encryption data representation for the third client terminal; andsends the third encryption data representation to the third clientterminal to be decrypted by the third client terminal.

The mixer may also use the first key switch hint and the thirdencryption data representation to switch the third encryption datarepresentation to a first encryption data representation for the firstclient; and send the first encryption data representation to the firstclient terminal to be decrypted by the first client terminal.

The mixer may also use the second key switch hint and the firstencryption data representation to switch the first encryption datarepresentation to a second encryption data representation for the secondclient; and send the second encryption data representation to the secondclient terminal to be decrypted by the second client terminal.

In some embodiments, the mixer combines the first, second and thirdencryption data representations in a matrix, a first column of thematrix including the first encryption data representation, a secondcolumn of the matrix including the second encryption datarepresentation, and a third column of the matrix including the thirdencryption data representation

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete appreciation of the present invention, and many of theattendant features and aspects thereof, will become more readilyapparent as the invention becomes better understood by reference to thefollowing detailed description when considered in conjunction with theaccompanying drawings in which like reference symbols indicate likecomponents, wherein:

FIG. 1 shows an exemplary block diagram for a distributed communicationsystem, according to some embodiments of the present invention.

FIG. 2 shows an exemplary block diagram depicting keys and hintssharing, according to some embodiments of the present invention.

FIG. 3 is an exemplary block diagram illustrating adding a new clientterminal, according to some embodiments of the present invention.

FIG. 4 is an exemplary block diagram depicting removing a new clientterminal, according to some embodiments of the present invention.

FIG. 5 shows an exemplary hint generation approach, according to someembodiments of the present invention.

FIG. 6 shows data encryption and decryption by a client terminal,according to some embodiments of the present invention.

FIG. 7 depicts an exemplary block diagram of a mixer for circular mixingof encrypted data, according to some embodiments of the presentinvention.

FIG. 8 is an exemplary process flow, according to some embodiments ofthe present invention.

DETAILED DESCRIPTION

In some embodiments, the present invention is a system and method formerging encryption data using circular encryption key switching andwithout sharing any private keys in a distributed communication system,for example, Voice over IP (VoIP) teleconferencing systems, videoconferencing systems, control systems, detection systems, accountingsystems, and the like.

In some embodiments, the present invention provides a system and methodfor parties (e.g., several client terminals) to have privacy-preservingteleconferences, where communication privacy is maintained despite allcommunications of the clients being observed during the teleconference,even at the teleconference mixer. This approach uses an alternative keysharing capability, in which client terminals share their public keyswith each other before a teleconference starts. The present inventionimproves upon the prior approaches, because in the scheme of the presentinvention, the public keys can be shared at any time prior to the startof the data communication that is convenient. This reduces the use ofcommunication and computation resources at the start of thecommunication.

The invention uses key switch hints to delegate decryption capabilityfrom one client (terminal) to another. After delegating decryptioncapability to an intended client (terminal), the client can decrypt theencrypted data, which is delegated to it. As a result, the system andmethod of the present invention require less memory compared to methods,which require a VoIP mixer to store m key switch hints where m is thenumber of client terminals.

In some embodiments, in the case of teleconferencing, the clients encodetheir voice samples with an additive encoding scheme, encrypt theirencoded voice data with an additive homomorphic encryption scheme, andsend their encrypted voice (data) samples to a mixer. The mixer switchesall encrypted data into respective data representations to respectiveclient terminals, where each data representation can be decrypted by theintended (recipient) client. The mixer performs an encrypted homomorphicaddition on the encrypted voice (data). The mixer sends the results backto the clients. The clients then decrypt, decode and play back theresulting decrypted voice (data). This scheme pre-shares public keys foran additive homomorphic encryption scheme, performs key switching andrequires that the clients agree on a common additive encoding scheme.

FIG. 1 shows an exemplary block diagram for a distributed communicationsystem, according to some embodiments of the present invention. Each ofthe clients 102 a, 102 b, 102 c and 102 d samples voice data (in thecase of voice), encodes it, encrypts it and sends the encrypted data 106a, 106 b, 106 c or 106 d to a mixer 104. The mixer 104 operates on theencrypted data and sends the results 108 a, 108 b, 108 c and 108 d backto the respective client terminals, which are then decrypted, decodedand played back (in the case of voice) to the respective clients.

Any encryption system may be used with the system and method of thepresent invention that supports an additive homomorphism and keyswitching which could be implemented in a practical manner. Arepresentational scheme is NTRU which can be made to both a SomewhatHomomorphic Encryption (SHE) scheme and a Fully Homomorphic Encryption(FHE) scheme, and which supports key switching.

FIG. 2 shows an exemplary block diagram depicting keys and hintssharing, according to some embodiments of the present invention. Thediagram illustrates a circular way (ring configuration), in which thepublic encryption keys are shared among the clients and hints sharedwith the mixer, in some embodiments of the present invention. Asdepicted, client terminals (clients) 102 a, 102 b, 102 c and 102 d sharetheir public keys 202 a, 202 b, 202 c and 202 d, in a circular mannerthrough, for example, a mixer (or other entity) 104. However, in someembodiments, a mixer need not be used to share keys, rather, othersources, including any of the client terminals may be used to sharekeys. This sharing only needs to be performed once and could be done ina batch manner, for example, every time a client joins, or every time ateleconference is organized. Mixer 104 sends public keys to clients andthe clients receive the respected public keys (204 a, 204 b, 204 c and204 d) to generate respective key switch hints 206 a, 206 b, 206 c and206 d. These key switch hints are then used to switch respectiveencrypted data to corresponding data representations for each client.For example, as shown, client 102 a sends it public key 202 a to beshared and receives from one of the other clients 102 b, 102 c or 102 dits public keys (202 b, 202 c or 202 d), as shown by arrow 204 a.

FIG. 5 shows an exemplary hint generation approach, according to someembodiments of the present invention. For every client terminal, a keyswitch hint to be sent from that client terminal to the mixer isgenerated. All the key switch hints, but none of the keys, are sharedwith the mixer. As shown, each client terminal receives other clients'respective public keys 508 (for example, from the mixer) and uses itsown private key 504 to generate a client1-to-next-client hint 512, by akey hint generation module 510. For example, client 102 a and receivesclient's 102 b public key 202 b, as shown by 508 in FIG. 5. Client 102 athen uses its own private key 504 to generate a client 102 a-to-client102 b key switch hint 512.

The key switch hint generation procedure depends on the specific type ofadditive homomorphic encryption scheme used. Because private keys arenot shared, no other key switch hints can be generated to take theresult and delegate its decryption to another entity. An example of thekey switching for NTRU case would be to convert a ciphertext of degreeof at most d, encrypted under a secret key f1, into a degree-1ciphertext c2 encrypted under a secret key f2 (which may or may not bethe same as f1). The “hint” is a12=m*f1̂d*f2̂−1 mod q for a short mεRcongruent to 1 modulo p. Then, m=p*e+1 can be chosen for a Gaussiandistributed e.). The key switch operation is then defined as thefunction *:

KeySwitch(c1,a12): c2=a12*c1 mod q.

In some embodiments, the invention uses an arbitrary ordering of theclients. The clients are arbitrarily ordered from 1 to m. For example,at start-up, client2's public key is sent to client1 to generate a keyswitch hint, client3's public key is sent to client2 to generate a keyswitch hint, and client1's public key is sent to client m to generate akey switch hint. In some embodiments, the key switch hints are stored bythe mixer.

FIG. 3 is an exemplary block diagram illustrating adding a new clientterminal, according to some embodiments of the present invention. Clientterminals 302 a, 302 b and 302 c are already in the ring configurationand client4 needs to be added to the ring, for example, as a new user ina conference call or distributed data communication. As shown, when anew client4 is added, it is added to the end of the list, as shown byclient4 306. The new (larger) ring configuration would include client2304 b receiving client1's public key, client3 304 c receiving client2's304 b public key, new client4 306 receiving client3's public key andclient1 304 a receiving new client4's public key.

In general, when a new client m+1 is added, client1's public key is sentto client m+1 to generate a key switch hint and client m+1's public keyis sent to client m to generate a key switch hint. In some embodiments,the key switch hints may be stored by the mixer.

FIG. 4 is an exemplary block diagram depicting removing a new clientterminal, according to some embodiments of the present invention. Asillustrated, when a client terminal 404 is removed, the list isreordered from 1 to m−1, for example, 406 a, 406 b and 406 c. Ingeneral, when client i is removed, the new client i+1's public key issent to the new client i to generate a key switch hint and the newclient i's public key is sent to client i−1 to generate a key switchhint. The new (smaller) ring configuration would include client2 406 breceiving client1's (406 a) public key, client3 406 c receivingclient2's public key, and client1 receiving client3's public key.

FIG. 6 shows data encryption and decryption by a client terminal,according to some embodiments of the present invention. The exampleillustrated by FIG. 6 relates to voice conferencing and includes amicrophone 602, to capture the voice, a sampler 604 to sample the analogvoice signals, and a playback 630 to play back the voice via a speaker632. However, in case of general data communication without voice,microphone 602, sampler 604, playback 630 and speaker 632 may not beneeded. As shown, a client terminal receives the voice data from amicrophone 602, samples the voice data using the sampler 604 and feedsthe sampled data to an encoder 606, which encodes the data and generatesa data vector 608. The data vector 608 is then encrypted with client'sprivate key by an additive homomorphic encryption module 610, using anadditive homomorphic encryption scheme. The encrypted data isrepresented by vector 612, which is then sent 616 to a mixer to beoperated on.

After the mixing operation is performed, the encrypted result 618 isreceived from the mixer, for example, in the form of a vector 622. Theresult 618 is decrypted by a decryption module 624 to generate a vector626 of decrypted data to be decoded by the decoder 628. In case of voicedata, the decrypted data is played back (630) over a speaker 632. In thecase of non-voice data communication, the decoded data is send to adesired destination, without any play back.

In some embodiments, a NTRU algorithm is used as a representationaladditive homomorphic encryption scheme which provides encryption anddecryption functions. The NTRU encryption algorithm is lattice based,which, is based on the shortest vector problem in a lattice. Operationsare based on objects in a truncated polynomial ring with convolutionmultiplication, where all polynomials in the ring have integercoefficients.

FIG. 7 depicts an exemplary block diagram of a mixer for circular mixingof encrypted data, according to some embodiments of the presentinvention. Although a mixer is used in the example of FIG. 7, asdescribed above, other sources, including any of the client terminalsmay be used to share keys, instead of the mixer. As shown encrypted data(702, 704 and 706) and hints (703 a, 703 b, 70-3 c and 703 d) arereceived from respective client terminals. A first key switch operation708 is performed, for example, on the encrypted data 702 from client1,using the key switch hint 703 a generated by client1 for client2. Theresult is added by an adder 710 to the encrypted data 704 from client1.A second key switch operation 712 is performed on the output of theadder 710, using the key switch hint 703 b generated by client2 forclient3. The result of the second key switch operation 712 is added byan adder 714 to the encrypted data 706 from client3.

The output of the adder 714 is an encrypted data representation (result)724 for the client3 that is sent to client 3. A third key switchoperation 716 is performed on the output of the adder 714, using the keyswitch hint 703 c generated by client3 for client1. The output of thethird key switch operation 716 is an encrypted data representation(result) 722 for the client1 that is sent to client 1. Furthermore, afourth key switch operation 718 is performed on the output of the thirdkey switch operation 716, using the key switch hint 703 d generated byclient1 for client2. The output of the fourth key switch operation 718is an encrypted data representation (result) 720 for the client2 that issent to client 2.

In some embodiments, the encrypted data representation (724, 722 and720) for the clients 3, 1 and 2, are combined in a matrix, in which eachcolumn of the matrix represents one of the encrypted datarepresentation. The appropriate matrix column is then sent to thecorresponding client. In some embodiments, the entire matrix may be sentto all the clients. Each client then extracts its own encrypted datarepresentation (result) from the matrix. In the case of voice, it may bedesired not to send back the same voice generated by a specific clientto that specific client. Consequently, the entire matrix, minus thecolumn to the specific client is sent to that specific client.

In some embodiments, for a representational NTRU-based additivehomomorphic encryption scheme, the mixer would need to know the ringdimension and ciphertext modulus. This information may be embedded inthe key switch hints. In some embodiments, each of the clients uses anauthentication scheme to guarantee they are receiving public keys fromintended recipients of their data. Conventional authentication schemesare used to authenticate a first client to a second client.

FIG. 8 is an exemplary process flow, according to some embodiments ofthe present invention. In block 802, a second public key is receivedfrom a second client terminal of the plurality of client terminals. Asecond key switch hint is generated for the second client terminal, bythe first client terminal, using the second public key and a firstprivate key of the first client terminal, in block 804. The second keyswitch hint and first encryption data from the first client terminal isthen transmitted to a mixer or equivalent thereof, in block 806. Inblock 808, a third public key is received from a third client terminaland a third key switch hint for the third client terminal is generatedby the second client terminal, using the third public key and a secondprivate key of the second client terminal, in block 810. The third keyswitch hint and second encryption data are then transmitted from thesecond client terminal to the mixer, in block 812.

In block 814, a first public key is received from the first clientterminal, and a first key switch hint is generated for the first clientterminal by the third client terminal, using the first public key and afirst private key of the first client terminal, in block 816. The firstkey switch hint and third encryption data from the third client terminaldata are then transmitted to the mixer, in block 818.

In block 820, the mixer uses the second key switch hint and the firstencrypted data from the first client terminal to switch the firstencrypted data to generate a first switched encrypted data. The mixerthen adds the encrypted data representation for the second clientterminal to the second encryption data from the second client terminalto output a first summed data encryption, in block 822. The mixer thenuses the third key switch hint and the first summed data encryption toswitch the first summed data encryption to generate a second switchedencrypted data, in block 824. The mixer then adds the second switchedencrypted data to the third encryption data from the third clientterminal to output a third encryption data representation for the thirdclient terminal, in block 826. In block 828, the mixer sends the thirdencryption data representation to the third client terminal to bedecrypted by the third client terminal.

Additionally, the mixer may use the first key switch hint and the thirdencryption data representation to also switch the third encryption datarepresentation to a first encryption data representation for the firstclient and send the first encryption data representation to the firstclient terminal to be decrypted by the first client terminal.

Moreover, the mixer may use the second key switch hint and the firstencryption data representation to switch the first encryption datarepresentation to a second encryption data representation for the secondclient, and send the second encryption data representation to the secondclient terminal to be decrypted by the second client terminal. This way,no private key is shared by any client terminal with any other entity,which results in a much better security and privacy of the data.

In some embodiments, for example, in the case of voice communication,for the situation where a client would not want to receive its own voicedata in the summation, the summation operations would be over a matrixaddition where the added data in each column is the result for eachclient. This added column may be set to 0, if the correspondingrecipient of the column is not intended to receive the voice data beingadded and all other columns would be the data being added. Redundantcolumn data need not be carried through the process. For example, if cijrepresents the ciphertext from client i in the key j representation, thefirst summation would be [c22,c12,c12+c22]. The result of the 2ndsummation would be [c23+c33,c13+c33,c13+c23,c13+c23+c33]. The result ofa 3rd summation would be[c24+c34,c44,c14+c34+c44,c14+c24+c34,c14+c24+c34+c44].

It will be recognized by those skilled in the art that variousmodifications may be made to the illustrated and other embodiments ofthe invention described above, without departing from the broadinventive scope thereof. It will be understood therefore that theinvention is not limited to the particular embodiments or arrangementsdisclosed, but is rather intended to cover any changes, adaptations ormodifications which are within the scope and spirit of the invention asdefined by the appended claims.

What is claimed is:
 1. A computer implemented method for data privacy ina distributed communication system, in which a plurality of clientterminals are arranged in a ring configuration, the method comprising:receiving by a first client terminal of the plurality of clientterminals, a second public key from a second client terminal of theplurality of client terminals; generating a second key switch hint forthe second client terminal, by the first client terminal, using thesecond public key and a first private key of the first client terminal;transmitting the second key switch hint and first encryption data fromthe first client terminal to a mixer; receiving by the second clientterminal, a third public key from a third client terminal of theplurality of client terminals; generating a third key switch hint forthe third client terminal, by the second client terminal, using thethird public key and a second private key of the second client terminal;transmitting the third key switch hint and second encryption data fromthe second client terminal to the mixer; receiving by the third clientterminal, a first public key from the first client terminal; generatinga first key switch hint for the first client terminal, by the thirdclient terminal, using the first public key and a first private key ofthe first client terminal; transmitting the first key switch hint andthird encryption data from the third client terminal to the mixer;using, by the mixer, the second key switch hint and the first encrypteddata from the first client terminal to switch the first encrypted datato generate a first switched encrypted data; adding the encrypted datarepresentation for the second client terminal to the second encryptiondata from the second client terminal to output a first summed dataencryption; using, by the mixer, the third key switch hint and the firstsummed data encryption to switch the first summed data encryption togenerate a second switched encrypted data; adding the second switchedencrypted data to the third encryption data from the third clientterminal to output a third encryption data representation for the thirdclient terminal; and sending the third encryption data representation tothe third client terminal to be decrypted by the third client terminal.2. The method of claim 1, further comprising: using, by the mixer, thefirst key switch hint and the third encryption data representation toswitch the third encryption data representation to a first encryptiondata representation for the first client; and sending the firstencryption data representation to the first client terminal to bedecrypted by the first client terminal.
 3. The method of claim 2,further comprising: using, by the mixer, the second key switch hint andthe first encryption data representation to switch the first encryptiondata representation to a second encryption data representation for thesecond client; and sending the second encryption data representation tothe second client terminal to be decrypted by the second clientterminal.
 4. The method of claim 3, further comprising: combining thefirst, second and third encryption data representations in a matrix, afirst column of the matrix including the first encryption datarepresentation, a second column of the matrix including the secondencryption data representation, and a third column of the matrixincluding the third encryption data representation.
 5. The method ofclaim 4, further comprising sending one or more columns of the matrix toa respective client terminal.
 6. The method of claim 4, furthercomprising sending the matrix to all of the client terminals.
 7. Themethod of claim 4, further comprising replacing the content of arespective column of the matrix corresponding to a respective clientterminal with all zeroes, before sending the matrix to the respectiveclient terminal.
 8. The method of claim 1, wherein the datacommunication between the plurality of client terminals is one or morevoice data communication and video data communication.
 9. The method ofclaim 1, wherein the first encryption data, the second encryption dataand the third encryption data are encoded before being encrypted by therespective client terminal.
 10. The method of claim 1, wherein each ofthe first, second and third encryption data representations is decryptedand decoded by a respective client terminal.
 11. The method of claim 1,further comprising: adding a new fourth client terminal to the ringconfiguration of the plurality of the client terminals and arranging thering configuration so that the second client terminal receives the firstpublic key, the third client terminal receives the second public key,the new fourth client terminal receives the third public key and thefirst client terminal receives a fourth public key of the new fourthclient terminal.
 12. The method of claim 8, further comprising: removingthe fourth client terminal from the ring configuration of the pluralityof the client terminals and arranging the ring configuration so thatsecond client terminal receives the first public key, the third clientterminal receives the second public key, and the first client terminalreceives the third public key.
 13. The method of claim 1, furthercomprising: authenticating a sending client terminal by a receivingclient terminal.
 14. A distributed communication system, in which aplurality of client terminals are arranged in a ring configuration,comprising: a mixer to performing operation on encrypted data streams; afirst client terminal for receiving a second public key from a secondclient terminal; generating a second key switch hint for the secondclient terminal, using the second public key and a first private key ofthe first client terminal; and transmitting the second key switch hintand first encryption data from the first client terminal to the mixer,wherein the second client terminal receives a third public key from athird client terminal; generates a third key switch hint for the thirdclient terminal, using the third public key and a second private key ofthe second client terminal; and transmits the third key switch hint andsecond encryption data to the mixer, wherein the third client terminalreceives a first public key from the first client terminal; generates afirst key switch hint for the first client terminal, using the firstpublic key and a first private key of the first client terminal; andtransmits the first key switch hint and third encryption data to themixer, wherein the mixer uses the second key switch hint and the firstencrypted data from the first client terminal to switch the firstencrypted data to generate a first switched encrypted data; and adds theencrypted data representation for the second client terminal to thesecond encryption data from the second client terminal to output a firstsummed data encryption, and wherein the mixer uses the third key switchhint and the first summed data encryption to switch the first summeddata encryption to generate a second switched encrypted data; adds thesecond switched encrypted data to the third encryption data from thethird client terminal to output a third encryption data representationfor the third client terminal; and sends the third encryption datarepresentation to the third client terminal to be decrypted by the thirdclient terminal.
 15. The distributed communication system of claim 14,wherein the mixer is further configured to use the first key switch hintand the third encryption data representation to switch the thirdencryption data representation to a first encryption data representationfor the first client; and send the first encryption data representationto the first client terminal to be decrypted by the first clientterminal.
 16. The distributed communication system of claim 15, whereinthe mixer is further configured to use the second key switch hint andthe first encryption data representation to switch the first encryptiondata representation to a second encryption data representation for thesecond client; and send the second encryption data representation to thesecond client terminal to be decrypted by the second client terminal.17. The distributed communication system of claim 16, wherein the mixeris further configured to combine the first, second and third encryptiondata representations in a matrix, a first column of the matrix includingthe first encryption data representation, a second column of the matrixincluding the second encryption data representation, and a third columnof the matrix including the third encryption data representation. 18.The distributed communication system of claim 17, wherein the mixer isfurther configured to send a respective column of the matrix to arespective client terminal.
 19. The distributed communication system ofclaim 17, wherein the mixer is further configured to send the matrix toall of the client terminals.
 20. The distributed communication system ofclaim 17, wherein the mixer is further configured to replace the contentof a respective column of the matrix corresponding to a respectiveclient terminal with all zeroes, before sending the matrix to therespective client terminal.